Using Let’s Encrypt with GitLab Omnibus

May 8th, 2017

Encryption is a virtual necessity in the digital age. That’s why I love Let’s Encrypt, you can get a free SSL for any of your sites. I while it's fairly easy to install on a regular Apache install, getting it to work on a GitLab Omnibus install is a little tricky.

For the most part I followed one of DigitalOcean’s excellent tutorials on the process, but it wasn’t 100%.

The main problem I had is that the included version of Nginx in the GitLab Omnibus package is difficult to configure to allow Let’s Encrypt to register and renew a certificate. The culprit is that Let’s Encrypt need to register a certificate using HTTP and not HTTPS, but the settings on the above article don’t allow that. But there is a work around.

About half way down on GitLab Issue 1095, Tobias Brunner goes into detail about using a custom nignx config that allows Let's Encrypt to talk to the .well-known directory over HTTP while redirect all your other traffic to HTTPS.

When you combine those two posts you get a working Let’s Encrypt certificate on an GitLab Omnibus install.